[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [entity-resolution] Re: OASIS - Catalog Threat ?
I'm with Norm--I don't understand the comment, I don't see a problem, and I don't want to change the default of the prefer attribute (which is implementation dependent).

paul

> -----Original Message-----
> From: Norman Walsh [mailto:ndw@nwalsh.com]
> Sent: Tuesday, 2007 February 06 15:59
> To: mary.mcrae@oasis-open.org
> Cc: entity-resolution@lists.oasis-open.org; 'Carol Geyer'
> Subject: [entity-resolution] Re: OASIS - Catalog Threat ?
>
> / "Mary McRae" <mary.mcrae@oasis-open.org> was heard to say:
> | Hi Lauren,
> |
> | This email was sent to communications (Carol Geyer).
> |
> | Regards,
> |
> | Mary
> |
> |>
> |> -----Original Message-----
> |> From: Steven J. Hathaway [mailto:shathawa@e-z.net]
> |> Sent: Sunday, February 04, 2007 12:28 PM
> |> To: communications@oasis-open.org
> |> Subject: OASIS - Catalog Threat ?
> |>
> |> I recommend that (Sec: 4.1.1) of the OASIS entity resolver
> |> catalog specification be revised to help avoid the
> |> development of products that have misleading identifier trust.
> |>
> |> OASIS is a general entity resolver and catalog. It can now
> |> be used with XML. The specification document (Sec: 4.1.1)
> |> describing the 'prefer' attribute may harbor a security
> |> threat related to identifier trust.
> |>
> |> Normally, the Public identifiers have global scope, and
> |> therefore a high probability of trust. The System
> |> identifiers normally have a restricted scope - that of a
> |> specific system - and therefore do not have the global trust.
> |>
> |> When a document is passed between systems, it is undefined
> |> what the scope of System identifier implies. Herein lies an
> |> OASIS catalog threat. A document may have both Public and
> |> System identifiers proclaiming to be associated with the
> |> Public resource. Since the document could be received from a
> |> foreign system, the Public and System identifiers may no
> |> longer define the same resource.
> |> The System identifiers in
> |> messages received from foreign systems should have a lower
> |> threshold of trust than Public identifiers.
> |>
> |> The 'prefer' attribute is often set to 'public' for a catalog
> |> or group. And if both a Public and System identifier for the
> |> resource reside in the catalog, the System replacement text
> |> is used. Most developers would imply that the Public
> |> replacement text should be used (See Section 4.1.1. table).
> |>
> |> The 'prefer' attribute should be set to 'system' to handle
> |> those documents that are only generated and consumed by the
> |> same system.
>
> I'm not sure I understand the comment. Users are free to set the
> prefer attribute to system if they wish.
>
> The catalog standard does not specify a default value for the prefer
> attribute and mandates that tools provide a way for the user to
> specify it.
>
> Be seeing you,
> norm
>
> --
> Norman Walsh
> XML Standards Architect
> Sun Microsystems, Inc.
>
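A worked illustration of the resolution behaviour the thread is arguing about, added here as an example. It is not code from the catalog specification, from Norm's resolver, or from anyone on the list. It models the public/system order of the XML Catalogs 1.1 resolution algorithm (section 7.1.2) as I read it: system entries are consulted first whenever the document supplied a system identifier, and public entries are consulted only when the entry's effective prefer is "public" or the document supplied no system identifier. The catalog, the public and system identifiers, and the file paths are constructed for the example; rewriteSystem, systemSuffix, delegate* and nextCatalog entries are not modelled; and because the spec leaves the default prefer value to the implementation, the "public" default is a parameter rather than a claim about any tool.

```python
"""Toy resolver for the XML Catalogs `prefer` attribute (added example)."""
import xml.etree.ElementTree as ET

# Constructed catalog for the example: the identifiers and paths are made up.
CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="public">
  <public publicId="-//Example//DTD Report 1.0//EN"
          uri="file:///usr/share/xml/example/report-1.0.dtd"/>
  <system systemId="http://example.org/dtd/report-1.0.dtd"
          uri="file:///usr/share/xml/example/report-1.0.dtd"/>
  <group prefer="system">
    <public publicId="-//Example//DTD Invoice 1.0//EN"
            uri="file:///usr/share/xml/example/invoice-1.0.dtd"/>
  </group>
</catalog>
"""


def load_catalog(text, default_prefer="public"):
    """Flatten a catalog into (kind, identifier, uri, effective_prefer) tuples.

    `prefer` is inherited from the nearest enclosing group or catalog
    element.  The spec leaves the default implementation-dependent, so the
    caller supplies it; "public" here is an assumption for the example.
    """
    root = ET.fromstring(text)
    entries = []

    def walk(elem, inherited):
        prefer = elem.get("prefer", inherited)
        for child in elem:
            tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
            if tag == "group":
                walk(child, prefer)
            elif tag == "public":
                entries.append(("public", child.get("publicId"), child.get("uri"), prefer))
            elif tag == "system":
                entries.append(("system", child.get("systemId"), child.get("uri"), prefer))
            # rewriteSystem, systemSuffix, delegate*, nextCatalog: not modelled

    walk(root, default_prefer)
    return entries


def resolve(entries, public_id=None, system_id=None):
    """Resolve an external identifier against the flattened catalog.

    Returns (uri, "system" | "public") for a catalog match, or (None, None)
    when the catalog has no match, in which case a parser would go on to use
    the document's system identifier literally (a fetch of whatever the
    foreign document named).
    """
    # 1. System entries are consulted first whenever a system identifier was
    #    supplied, regardless of the prefer setting.
    if system_id is not None:
        for kind, ident, uri, _prefer in entries:
            if kind == "system" and ident == system_id:
                return uri, "system"
    # 2. Public entries are consulted only when the entry's effective prefer
    #    is "public" or the document supplied no system identifier.
    if public_id is not None:
        for kind, ident, uri, prefer in entries:
            if kind == "public" and ident == public_id and (
                system_id is None or prefer == "public"
            ):
                return uri, "public"
    return None, None


if __name__ == "__main__":
    entries = load_catalog(CATALOG)
    cases = [
        # Same-system document: both identifiers are known to the catalog.
        ("-//Example//DTD Report 1.0//EN", "http://example.org/dtd/report-1.0.dtd"),
        # Document from a foreign system: known public id, unknown system id.
        ("-//Example//DTD Report 1.0//EN", "http://other.example/report.dtd"),
        # Same situation, but the public entry sits in a prefer="system" group.
        ("-//Example//DTD Invoice 1.0//EN", "http://other.example/invoice.dtd"),
        # No system identifier in the document at all.
        ("-//Example//DTD Invoice 1.0//EN", None),
    ]
    for pub, sys_id in cases:
        print(pub, sys_id, "->", resolve(entries, pub, sys_id))
```

The four cases show the behaviour each side of the thread is describing: with both identifiers known, the system entry wins even under prefer="public"; a foreign system identifier that matches nothing falls through to the public entry under prefer="public"; under prefer="system" that same foreign document gets no catalog match at all, so a real parser would fetch the foreign system identifier; and a document carrying only a public identifier resolves through the public entry whatever prefer says. Public identifier whitespace normalization and URI normalization of system identifiers are left out for brevity.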